fix: paid seated event attendee privacy #25258
@dhairyashiil is attempting to deploy a commit to the cal Team on Vercel. A member of the Team first needs to authorize it.
2 issues found across 6 files
Prompt for AI agents (all 2 issues)
Understand the root cause of the following 2 issues and fix them.
<file name="apps/web/modules/bookings/views/bookings-single-view.tsx">
<violation number="1" location="apps/web/modules/bookings/views/bookings-single-view.tsx:169">
The Stripe polling loop always reloads the page every 2s until payment succeeds, so a failed/slow payment traps the user in an infinite reload loop.</violation>
<violation number="2" location="apps/web/modules/bookings/views/bookings-single-view.tsx:429">
Wrap the new "Processing payment" headline in t() so it participates in localization.</violation>
</file>
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
anikdhabal
left a comment
In order to fix this issue, let's follow these steps:
- Store the paymentId in the bookingSeat table.
- After a successful payment, query the seat using the passed paymentId to find the attendee/seat, and then send them an email
…delivery

- Add paymentId field to BookingSeat model for direct payment tracking
- Update createNewSeat to link payment after seat creation
- Update RegularBookingService to link payment for first seat bookings
- Modify handlePaymentSuccess to use paymentId for accurate attendee identification
- Update getBooking to include paymentId in bookingSeat queries
- Add database migration for new paymentId column with unique index

This fixes the race condition where payment webhooks arriving out of order could cause confirmation emails to be sent to the wrong attendee in paid seated events. Now each seat directly references its payment for accurate identification.
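The lookup change described in the commit message above, as an added TypeScript example that is not code from the cal.com repository. The `Seat` and `Booking` types and all function names are hypothetical, the "notify the latest seat" behaviour is an assumed stand-in for the pre-fix logic, and the data is constructed.

```typescript
// Added example: in-memory model with hypothetical names, not cal.com code.
type Seat = { attendeeEmail: string; paymentId: number | null };
type Booking = { seatsShowAttendees: boolean; seats: Seat[] };

// Assumed "before" behaviour: notify whoever took the most recent seat.
function recipientByLatestSeat(booking: Booking): string {
  const last = booking.seats[booking.seats.length - 1];
  if (!last) throw new Error("booking has no seats");
  return last.attendeeEmail;
}

// "After": resolve the seat through the payment the webhook reports.
function recipientByPaymentId(booking: Booking, paymentId: number): string {
  const [seat, ...rest] = booking.seats.filter((s) => s.paymentId === paymentId);
  if (!seat || rest.length > 0) {
    // Fail closed: never fall back to another attendee's address.
    throw new Error(`no single seat linked to payment ${paymentId}`);
  }
  return seat.attendeeEmail;
}

// Attendee list that goes into one recipient's confirmation email.
function visibleAttendees(booking: Booking, recipient: string): string[] {
  return booking.seatsShowAttendees
    ? booking.seats.map((s) => s.attendeeEmail)
    : [recipient];
}

// Constructed data: two buyers on one seated event, attendee list hidden.
const sampleBooking: Booking = {
  seatsShowAttendees: false,
  seats: [
    { attendeeEmail: "alice@example.test", paymentId: 101 },
    { attendeeEmail: "bob@example.test", paymentId: 102 },
  ],
};

// Handle one "payment succeeded" webhook and report who would be emailed.
function simulateWebhook(booking: Booking, paymentId: number) {
  const naive = recipientByLatestSeat(booking);
  const fixed = recipientByPaymentId(booking, paymentId);
  return { naive, fixed, attendeesInEmail: visibleAttendees(booking, fixed) };
}

// Alice's webhook arrives after Bob has already taken the second seat.
console.log(simulateWebhook(sampleBooking, 101));
```

With `seatsShowAttendees` off, the paymentId lookup mails only the paying attendee and lists only that attendee, while the assumed pre-fix lookup would address the other buyer.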
2 issues found across 7 files
Prompt for AI agents (all 2 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/features/bookings/lib/payment/getBooking.ts">
<violation number="1" location="packages/features/bookings/lib/payment/getBooking.ts:45">
Attendee phone numbers are fetched from Prisma even though the data is never used here, which unnecessarily exposes extra PII and goes against the guideline to select only required fields.</violation>
</file>
<file name="packages/prisma/migrations/20251127144146_add_payment_id_to_booking_seat/migration.sql">
<violation number="1" location="packages/prisma/migrations/20251127144146_add_payment_id_to_booking_seat/migration.sql:14">
Drop the redundant non-unique index on BookingSeat.paymentId; the unique index already covers lookups on this column and avoids extra storage/write overhead.</violation>
</file>
- Remove redundant regular index on BookingSeat.paymentId (unique index already provides lookup capability)
- Remove unused phoneNumber field from getBooking query (data never used in CalendarEvent)
- Regenerate migration with optimized schema

This reduces storage overhead and write operations while maintaining performance.
1 issue found across 7 files
Prompt for AI agents (all 1 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/prisma/schema.prisma">
<violation number="1" location="packages/prisma/schema.prisma:1629">
`paymentId` is marked `@unique`, preventing multiple seats from referencing the same payment. Group bookings usually share one payment record, so subsequent seats will violate the unique constraint and fail to save. Drop the uniqueness so all seats in a booking can link to the same payment.</violation>
</file>
…nt-attendee-privacy
2 issues found across 7 files
Prompt for AI agents (all 2 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/prisma/schema.prisma">
<violation number="1" location="packages/prisma/schema.prisma:1629">
`paymentId` is intended to point to `Payment`, but it is just a plain Int column with no foreign-key relation, so invalid/nonexistent payment IDs can be stored and Prisma cannot traverse `bookingSeat.payment`. Declare a relation to `Payment` so referential integrity is enforced.</violation>
</file>
<file name="packages/app-store/_utils/payments/handlePaymentSuccess.ts">
<violation number="1" location="packages/app-store/_utils/payments/handlePaymentSuccess.ts:114">
Email confirmation disabling logic for hosts and attendees duplicates `packages/features/bookings/lib/handleConfirmation.ts` and several other files. This logic should be extracted into a shared utility function.</violation>
</file>
E2E results are ready!
| /* | ||
| Warnings: | ||
| - A unique constraint covering the columns `[paymentId]` on the table `BookingSeat` will be added. If there are existing duplicate values, this will fail. |
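Review bot: the warning on the `[paymentId]` line says the unique constraint fails when duplicate values exist, but nothing in this header records why that cannot happen here or that uniqueness limits each payment to a single `BookingSeat` row. State in the migration comment or the PR description whether the column already holds data when the constraint is applied, and confirm that one seat per payment is the intended invariant, since a second seat linked to the same payment would be rejected on insert.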
Check these warnings
This warning is normal and expected when adding a unique constraint. Since paymentId is a new column being added by this migration, there are no existing values in the database to conflict - all existing rows will have paymentId = NULL, which is allowed for unique constraints.
The migration will run successfully without any issues. This is just Prisma's standard safety reminder that appears whenever adding a unique constraint to warn about potential duplicate data (which doesn't apply in our case).
- Fix seatsShowAttendees default from undefined to false to prevent unintended attendee hiding
- Remove unnecessary comments from createNewSeat for cleaner code
1 issue found across 7 files
Prompt for AI agents (all 1 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/features/bookings/lib/service/RegularBookingService.ts">
<violation number="1" location="packages/features/bookings/lib/service/RegularBookingService.ts:1838">
Attach the newly created bookingSeat to the attendee identified by the per-seat responses (email/phone), not always to the booker email, so that seat-specific emails/webhooks target the correct attendee.</violation>
</file>
This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.
What does this PR do?
Visual Demo
Tested for both scenarios
Summary by cubic
Fixes attendee privacy for paid seated events by sending seat-specific notifications after payment and honoring seatsShowAttendees. Addresses #25256 and CAL-6782 to prevent exposing other attendees’ details to each buyer.
Bug Fixes
Migration
Written for commit 16b0760. Summary will update automatically on new commits.